Regulation of Transborder Data Flows under ... - Tilburg University
Kuner/Regulation of Transborder Data Flows under Data Protection and Privacy Law 11

‘international data transfers’ in the sense of data protection law and may therefore be
subject to a duty of notification, must be vastly greater than the number that was
officially notified.

--Greater direct involvement of individuals in transborder data flows. The
development of new technologies and business models for processing personal data has
led to a greater direct involvement of individuals in the way that their data are transferred
across national borders. In particular, phenomena such as electronic commerce and online
social networks have made it possible for individuals to initiate and even control the
transborder transfer of their personal data to a much greater extent than in the past. For
example, online hotel reservation systems were already being used in the 1970s when the
OECD Guidelines were drafted, but access was restricted to the companies participating
in them, whereas nowadays individuals can make reservations via the Internet and thus
input their personal data directly.

--The changing role of geography. While geography and territoriality are still the key
factors for the application of data protection and privacy law, they have become less
important from the business and technological points of view. Many companies structure
their operations based on lines of business rather than geography, and technology allows
the transfer of personal data without regard to national boundaries.

--Growing risks to the privacy of individuals. The above developments have all
brought great economic and social benefits to individuals, but have also increased the
risks of misuse of personal data and of violations of the law. For example, there has been
explosive growth in the scale and sophistication of criminal attacks against users’
personal data conducted via the Internet. 11

Despite these fundamental changes in the data processing landscape, and the growth in
the regulation of transborder data flows in numerous countries, there has been little
attempt to conduct a systematic inventory of such regulation; to examine the policies
underlying it; and to consider whether those policies need to be re-evaluated.

This study is designed to describe the present status of transborder data flow regulation,
and to provoke reflection about its aims, operation, and effectiveness, now and in the
future. It was prepared in the context of the 30th anniversary of the OECD Guidelines, but
is not specifically designed to evaluate them.

The study first examines the background and history of transborder data flow regulation;
analyzes certain issues of particular importance; and finally reaches some conclusions
about how such regulation can be made more coherent and effective. The Annex contains
translations of data protection and privacy law instruments from around the world that
regulate transborder data flows.

Before beginning, it is important to define the scope of the study:

--It only considers legal issues relevant to the regulation of transborder data flows. While
other issues (such as economic and social ones) may be equally important, they require
separate analysis.

11 See, e.g., Symantec Corp., ‘Internet Security Threat Report, Volume XV’ (April 2010),
.